Abstract

Nexus Authorization Logic (NAL) [Schneider et al. 2011] is a logic for reasoning about authorization in distributed systems. A revised version of NAL is given here, including revised syntax, a revised proof theory using localized hypotheses, and a new Kripke semantics. The proof theory is proved sound with respect to the semantics, and that proof is formalized in Coq.

1 Introduction

Authorization logics are epistemic logics used to reason about whether principals are permitted to take actions in a distributed computer system. Nexus Authorization Logic (NAL), invented by Schneider et al. [8], is notable for enabling rich reasoning about axiomatic, synthetic, and analytic bases for authorization of actions. NAL extends a well-known authorization logic, cut-down dependency core calculus (CDD) [1]. Among other features, NAL upgrades CDD from having only propositional variables to having functions and predicates on system state.

The NAL rationale [8] gives a natural-deduction proof system for the logic and sketches the intuition for a semantics based on the idea of a worldview, which is the set of statements that a principal believes, or would be prepared to support. However, neither a formal semantics nor a proof of soundness is given in the rationale.

Here, we initiate the formal study of the metatheory of NAL by developing a formal 
semantics and a proof of soundness. Along the way, we streamline NAL in various ways, 
particularly in the syntax (by eliminating second-order quantification) and in the proof sys- 
tem (by localizing hypothetical judgments). We also fix a bug in the original proof system, 
which allowed derivation of a formula that arguably should be considered invalid. 

Since our formalization of NAL differs from that of the NAL rationale, it will be convenient to have names to distinguish these two formal systems. Henceforth, we write "NAL₀" to refer to the original formalization of the NAL rationale [8], and "NAL₁" to refer to the new formalization in this paper.

Our proof of soundness, including the syntax, proof system, and semantics of NAL₁, is formalized in the Coq proof assistant.¹ The formalization contains about 3,000 lines of code.

This short paper describes our formal syntax, proof system, and semantics for NAL. Familiarity with epistemic logics, constructive logics, and their Kripke semantics is assumed. Readers who seek background in these areas can consult standard references [6, 10].

2 Syntax 

NAL₁ is a constructive, first-order, multimodal logic. It has two syntactic classes, terms $\tau$ and formulas $\phi$. Metavariable $x$ ranges over first-order variables, $f$ over first-order functions, and $r$ over first-order relations. Logical formulas $\phi$ are described by the following grammar:

$$
\begin{array}{lcll}
\phi & ::= & \mathit{true} & \\
& \mid & \mathit{false} & \\
& \mid & r(\tau, \ldots, \tau) & \text{first-order relation} \\
& \mid & \tau_1 = \tau_2 & \text{term equality} \\
& \mid & \phi_1 \wedge \phi_2 & \text{conjunction} \\
& \mid & \phi_1 \vee \phi_2 & \text{disjunction} \\
& \mid & \phi_1 \Rightarrow \phi_2 & \text{implication} \\
& \mid & \neg \phi & \text{negation} \\
& \mid & (\forall x : \phi) & \text{first-order universal quantification} \\
& \mid & (\exists x : \phi) & \text{first-order existential quantification} \\
& \mid & \tau \ \mathit{says}\ \phi & \text{affirmation} \\
& \mid & \tau_1 \Rrightarrow \tau_2 & \text{delegation} \\
& \mid & \tau_1 \Rrightarrow \tau_2 \ \mathit{on}\ (x : \phi) & \text{restricted delegation}
\end{array}
$$

Unlike NAL₀, formulas of NAL₁ do not permit monadic second-order universal quantification. In NAL₀, that quantifier was used only to define certain connectives, particularly delegation, as syntactic sugar. NAL₁ instead adds delegation as a primitive connective to the logic. This simplifies the logic from second-order down to first-order, at the small cost of adding a few extra axioms to the proof system to handle the delegation primitive.
Logical terms are described by the following grammar:

$$
\begin{array}{lcll}
\tau & ::= & x & \text{first-order variable} \\
& \mid & f(\tau, \ldots, \tau) & \text{first-order function} \\
& \mid & \tau_1 . \tau_2 & \text{subprincipal} \\
& \mid & \{x : \phi\} & \text{group principal}
\end{array}
$$

¹ http://coq.inria.fr

There are some small, unimportant syntactic differences between NAL₀ and NAL₁. The biggest of these is the notation for delegation: NAL₀ uses $\rightarrow$ whereas NAL₁ uses $\Rrightarrow$, to avoid any potential confusion with implication.

3 Proof System

The NAL₁ proof system is a natural-deduction proof system, like the NAL₀ proof system. But unlike the NAL₀ proof system, which uses hypothetical judgments for proving implication introduction, the NAL₁ proof system uses localized hypotheses. In NAL₁, the derivability judgment is written

$$\Gamma \vdash \phi$$

where $\Gamma$ is a set of formulas. If $\Gamma \vdash \phi$, then $\phi$ is derivable from $\Gamma$ according to the rules of the proof system. Rules for formulas are given in Figure 1. Rules for terms are given in Figure 2. In those figures, $\phi[\tau/x]$ denotes capture-avoiding substitution of $\tau$ for $x$ in $\phi$.

Most of the proof system is routine. The rules for says use notation $p \ \mathit{says}\ \Gamma$, which intuitively means that $p$ says all the formulas in set $\Gamma$. Formally, $p \ \mathit{says}\ \Gamma$ is the set $\{p \ \mathit{says}\ \phi \mid \phi \in \Gamma\}$. The says rules necessarily differ from the corresponding rules found in NAL₀ because of the use of localized hypotheses $\Gamma$. Nonetheless, the NAL₁ rules are essentially standard: for example, two of the three rules correspond to standard natural deduction rules for a necessity modality [6], and the third rule is symmetric to the second.

There is one important, deliberate change in the NAL₁ proof system that makes its theory differ from the NAL₀ system, which we now discuss. There are two standard ways of importing beliefs into a principal's worldview. The first is a rule known as Necessitation: "if $\vdash \phi$ then $\vdash p \ \mathit{says}\ \phi$." The second is an axiom known as Unit: $\vdash \phi \Rightarrow (p \ \mathit{says}\ \phi)$. Though superficially similar, Necessitation and Unit lead to different theories.

Example 1. Machines $M_1$ and $M_2$ execute processes $P_1$ and $P_2$, respectively. $M_1$ has a register $R$. Let $Z$ be a proposition representing "register $R$ is currently set to zero." According to Unit, $\vdash Z \Rightarrow (P_1 \ \mathit{says}\ Z)$ and $\vdash Z \Rightarrow (P_2 \ \mathit{says}\ Z)$. The former means that a process on a machine knows the current contents of a register on that machine; the latter means that a process on a different machine must also know the current contents of the register. But according to Necessitation, if $\vdash Z$ then $\vdash P_1 \ \mathit{says}\ Z$ and $\vdash P_2 \ \mathit{says}\ Z$. Only if $R$ is always zero must the two processes say so.



Unit, therefore, is better used when propositions (or relations or functions) represent global state upon which all principals are guaranteed to agree. Necessitation is better used when propositions represent local state that could be unknown to some principals.

NAL was designed to reason about state in distributed systems, where principals (such as machines) may have local state, and where global state does not necessarily exist — the reading at a clock, for example, is not agreed upon by all principals in NAL. So Unit would be an overly strong restriction on NAL principals; Necessitation is the appropriate choice. Fortunately, NAL₀ does include Necessitation as an inference rule and does not include Unit as an axiom.

Unfortunately, NAL₀ [8] permits Unit to be derived as a theorem² because of an interaction between Necessitation and the NAL₀ introduction rule for implication. NAL₁ fixes this bug and does not permit derivation of Unit.

4 Semantics

The semantics of NAL₁ is a combination of three standard semantic models: first-order models, constructive models, and modal models. This combination is probably not completely novel (see, e.g., [4, 11]), though we are not aware of any authorization logic semantics that is identical to or that subsumes our semantics. Our presentation mostly follows the Kripke semantics of intuitionistic predicate calculus given by Troelstra and van Dalen [10].

Below, we give a moderately pedagogic description of the definition of a semantic model for NAL, by building up progressively more complicated models.

First-order models. A first-order model with equality is a tuple $(D, =, R, F)$. The purpose of a first-order model is to interpret the first-order fragment of the logic, specifically first-order quantification, functions, and relations. $D$ is a set, the domain of individuals. These individuals are what quantification in the logic ranges over. $R$ is a set $\{r_i \mid i \in I\}$ of relations on $D$, indexed by set $I$, with associated arity function $m$, such that $r_i \subseteq D^{m(i)}$. Likewise, $F$ is a set $\{f_j \mid j \in J\}$ of functions on $D$, indexed by set $J$, with associated arity function $n$, such that $f_j \in D^{n(j)} \to D$. There is a distinguished equality relation $=$, which is an equivalence relation on $D$, such that equality is indistinguishable by relations and functions:

• if $\bar d = \bar d'$ and $\bar d \in r_i$, where $|\bar d| = |\bar d'| = m(i)$, then $\bar d' \in r_i$, and

• if $\bar d = \bar d'$, where $|\bar d| = |\bar d'| = n(j)$, then $f_j(\bar d) = f_j(\bar d')$.

Constructive models. A constructive model is a tuple $(W, \le, s)$. The purpose of a constructive model is to interpret the constructive fragment of the logic, specifically implication and universal quantification (whose semantics differ from the classical semantics). $W$ is a set, the possible worlds. We denote an individual world as $w$. Intuitively, a world $w$ represents the state of knowledge of a constructive reasoner. Relation $\le$, called the constructive accessibility relation, is a partial order on $W$. If $w \le w'$, then the constructive reasoner's state of knowledge could grow from $w$ to $w'$. Function $s$ is called the interpretation function. It assigns a first-order model $(D_w, =_w, R_w, F_w)$ to each world $w$. (Let the individual elements of $R_w$ be notated as $\{r_{i,w} \mid i \in I\}$, and likewise for $F_w$, as $\{f_{j,w} \mid j \in J\}$.) Thus, $s$ enables a potentially different first-order interpretation at each world. But to help ensure that the constructive reasoner's state of knowledge only grows — hence never invalidates a previously admitted construction — we require $s$ to be monotonic w.r.t. $\le$. That is, if $w \le w'$ then

• $d =_w d'$ implies $d =_{w'} d'$,

• $r_{i,w} \subseteq r_{i,w'}$, and

• for all $\bar d$ such that $|\bar d| = n(j)$, it holds that $f_{j,w}(\bar d) =_w f_{j,w'}(\bar d)$.

² From $\Gamma$ infer $A \ \mathit{says}\ \Gamma$ by SAYS-I. Then infer $\Gamma \Rightarrow A \ \mathit{says}\ \Gamma$ by IMP-I.

Constructive modal models. A constructive modal model is a tuple $(W, \le, s, P, A)$. The purpose of a constructive modal model is to interpret the modal fragment of the logic, specifically the says connective and the delegation connectives. The first part of a constructive modal model, $(W, \le, s)$, must itself be a constructive model as above. The next part, $P$, is a set of principals. Note that we treat principals differently than individuals: although individuals can vary from world to world in a model, the set of principals is assumed to be constant across the entire model. This assumption is consistent with other constructive multimodal logics [9, 11], which have a fixed set of modalities (just $\Box$ and $\Diamond$). However, it would be interesting in future work to explore removing this assumption.

$A$ is a set $\{A_p \mid p \in P\}$ of binary relations on $W$, called the principal accessibility relations. If $(w, w') \in A_p$, then in world $w$, principal $p$ considers world $w'$ possible. Like $\le$ in a constructive model, we require $s$ to be monotonic w.r.t. each $A_p$. This requirement enforces a kind of constructivity on each principal $p$, such that if $p$ is in a world in which individual $d$ is constructed, then $p$ cannot consider possible any world in which $d$ has not been constructed.

Constructive modal models thus have two kinds of accessibility relations, constructive $\le$ and principal $A_p$. These relations cannot be completely orthogonal: for sake of soundness, we need to impose four frame conditions that relate constructive accessibility and principal accessibility.

• F1. If $w \le w'$ and $(w, v) \in A_p$, then there exists a $v'$ such that $v \le v'$ and $(w', v') \in A_p$.

• F2. If $(w, v) \in A_p$ and $v \le v'$, then there exists a $w'$ such that $w \le w'$ and $(w', v') \in A_p$.

• IT. If $(w, v) \in A_p$ and $(v, u) \in A_p$, then there exists a $w'$ such that $w \le w'$ and $(w', u) \in A_p$.

• ID. If $(w, u) \in A_p$, then there exist a $w'$ and $v$ such that $w \le w'$, and $(w', v) \in A_p$ as well as $(v, u) \in A_p$.

The need for these frame conditions originates from the proof system rules for says, especially the latter two rules. It is well known in modal logic that axioms and rules about modalities correspond to frame conditions on accessibility relations (see, e.g., chapter 3 of [3]). IT and ID are intuitionistic generalizations of transitivity and density of the $A_p$ relations. In the presence of F1 and F2, IT and ID are necessary and sufficient conditions for the soundness of the says rules — a result that follows from work by Plotkin and Stirling [7]. Furthermore, F1 and F2 are arguably the right fundamental frame conditions to impose in a constructive modal logic [9]. In the case of NAL, we could actually remove F1 without suffering any unsoundness or incompleteness. (F1 is needed only to show soundness of a $\Diamond$ modality, which does not exist in NAL.) However, the others — F2, IT, and ID — are all necessary to impose in NAL₁.

NAL models. A NAL model is a tuple $(W, \le, s, P, A, \vee, \bot, \mathit{SUB})$. The purpose of a NAL model is to interpret NAL formulas. Specifically, it adds machinery to interpret group and subprincipals. The first part of a NAL model, $(W, \le, s, P, A)$, must itself be a constructive modal model as above.

The next part of a NAL model, $(\vee, \bot)$, is used to interpret group principals. Specifically, $(P, \vee)$ must be a join semilattice, with $\bot$ as its bottom element. (Thus, $\bot$ is a principal. Its intended use is as a principal who believes only tautologies. We do not require the existence of a top element in the lattice, because there is no need for such an element in the semantics.) Join operator $\vee$ is used to take disjunctions of principals — intuitively, $p \vee q$ is the principal who believes those statements that either $p$ or $q$ believe, or statements that logically follow from those. Formally, we require that, for all principals $p$ and $q$, it holds that $A_{p \vee q} \subseteq A_p$.

The $\mathit{SUB}$ part of a NAL model is used to interpret subprincipals. Intuitively, it requires the existence of a distinguished first-order function $\mathit{sub}_w$ of type $P \times D_w \to P$ at each world $w$. Further, we require that if $\mathit{sub}_w(p, d) = q$, then $A_p \supseteq A_q$, ensuring that superprincipals speak for subprincipals. Since $\mathit{sub}_w$ is a function, it must obey the requirement of monotonicity w.r.t. constructive accessibility relation $\le$, just as all other functions $f_{j,w}$ must in a constructive model.

NAL models for Coq. Finally, a NAL model for Coq is a NAL model extended with a pair of sets $\Delta$ and $\Pi$. This is a technical extension that unfortunately seems to be necessary in order to express something that is, in actuality, fairly simple set theory. We'd like to require that set $P$ of principals be a subset of every domain $D_w$ in a NAL model, such that there is one unchanging set of principals throughout the model. Expressing that idea in Coq's type theory turns out to be quite difficult, so we instead stipulate the existence of two sets of coercion functions, $\Delta$ and $\Pi$, between principals and individuals. $\Delta$ is a set $\{\delta_w : P \to D_w \mid w \in W\}$ of coercion functions that map principals to individuals. Since every principal should be represented by a unique domain element, we require each $\delta_w$ to be injective. $\Pi$ is a set $\{\pi_w : D_w \to P \mid w \in W\}$ of coercion functions that map individuals to principals. If individual $d$ does not represent a principal, then $\pi_w(d)$ is $\bot$.

Given these coercion functions, it is possible to define equality $=_P$ of principals in terms of equality of individuals: $p =_P q$ iff for all $w$, $\delta_w(p) =_w \delta_w(q)$.

NAL semantics. We give a semantics of NAL₁ in Figure 3. The validity judgment is written

$$M, w, v \models \phi$$

where $M$ is a NAL model for Coq and $w$ is a world in that model. Function $v$ is a valuation mapping first-order variables to individuals; it is used to interpret first-order quantification. The semantics also relies on an interpretation function $\mu$, defined in Figure 4, that maps syntactic terms $\tau$ to individuals.

The first-order constructive fragment of the semantics is routine. The semantics of says follows from the semantics of a $\Box$ modality in constructive modal logic [9, 11]. The semantics of delegation $\Rrightarrow$ follows from a standard definition in authorization logics [2]. The semantics of restricted delegation is similar to one presented by Howell, and it is a generalization of the semantics of unrestricted delegation. (To see this, take $w'''$ in the semantics of restricted delegation to be the $w''$ from the semantics of unrestricted delegation. Then $w'''$ equals $w''$, hence is in the same equivalence class.) Restricted delegation uses an equivalence relation $\equiv_{x.\phi}$ on worlds. Intuitively, this relation is used to partition worlds into equivalence classes that agree on the validity of formula $\phi$ in all valuations, assuming the existence of individuals $D_w$. Formally, define $w' \equiv_{x.\phi} w''$ to hold iff

$$\forall d \in D_w : (\forall v : M, w', v[d/x] \models \phi) \Leftrightarrow (\forall v : M, w'', v[d/x] \models \phi).$$

The interpretation function is also routine, except for the interpretation of group principals. That interpretation is similar to the algebra of principals defined in the ABLP logic [2].
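The following Python, added here as an illustration and not part of the paper's Coq development, evaluates the Figure 3 clauses for the propositional fragment of NAL₁ over a finite model (atoms are 0-ary relations, so the valuation plays no role; formulas are tuples such as ("imp", f, g), ("says", p, f) and ("speaksfor", p, q)) and checks the frame conditions F1, F2, IT and ID together with monotonicity of s along ≤ and each A_p. It replays Example 1 and the delegation clause; the world names, the atom N ("register R is nonzero") and the encoding of Z as its constructive negation are assumptions, chosen because monotonicity of s along A_p makes an atomic fact true at w hold at every world p considers possible, so Unit can only fail in such a model on a non-atomic formula.

```python
# Added illustration for this page (not the paper's Coq development).
class Model:
    def __init__(self, W, leq, A, truth):
        # worlds, constructive order <= (pairs), A_p per principal, atoms true at w
        self.W, self.leq, self.A, self.truth = set(W), set(leq), A, truth

    def above(self, w):  # {w' | w <= w'}
        return {v for (u, v) in self.leq if u == w}

    def monotone(self):  # s monotonic w.r.t. <= and each A_p: atom sets only grow
        rels = [self.leq] + list(self.A.values())
        return all(self.truth[u] <= self.truth[v] for R in rels for (u, v) in R)

    def frame_conditions(self):  # F1, F2, IT, ID from Section 4, by brute force
        ok = {"F1": True, "F2": True, "IT": True, "ID": True}
        for A in self.A.values():
            for (w, u) in A:
                up_w, up_u = self.above(w), self.above(u)
                if any(not any((w2, u2) in A for u2 in up_u) for w2 in up_w):
                    ok["F1"] = False
                if any(not any((w2, u2) in A for w2 in up_w) for u2 in up_u):
                    ok["F2"] = False
                if any(x == u and not any((w2, y) in A for w2 in up_w) for (x, y) in A):
                    ok["IT"] = False
                if not any((w2, x) in A and (x, u) in A for w2 in up_w for x in self.W):
                    ok["ID"] = False
        return ok

def sat(M, w, f):  # M, w |= f following the Figure 3 clauses (valuation unused)
    op = f[0]
    if op == "atom": return f[1] in M.truth[w]
    if op in ("true", "false"): return op == "true"
    if op == "and": return sat(M, w, f[1]) and sat(M, w, f[2])
    if op == "or": return sat(M, w, f[1]) or sat(M, w, f[2])
    if op == "imp":  # ranges over all constructively later worlds w' >= w
        return all(not sat(M, w2, f[1]) or sat(M, w2, f[2]) for w2 in M.above(w))
    if op == "not":
        return all(not sat(M, w2, f[1]) for w2 in M.above(w))
    if op == "says":  # w <= w' and (w', w'') in A_p implies w'' |= f
        return all(sat(M, w3, f[2]) for w2 in M.above(w)
                   for (x, w3) in M.A[f[1]] if x == w2)
    if op == "speaksfor":  # p speaks for q iff A_q is a subset of A_p
        return M.A[f[2]] <= M.A[f[1]]
    raise ValueError(op)

def valid(M, f):
    return all(sat(M, w, f) for w in M.W)

def example_1():
    """Example 1: P1 runs on the machine holding R, P2 elsewhere.  N is an
    assumed atom 'R is nonzero'; Z ('R is zero') is its constructive negation."""
    W = ["w0", "w1"]
    leq = [(w, w) for w in W]  # discrete constructive order
    A = {"P1": {("w0", "w0"), ("w1", "w1")},  # P1 can tell the worlds apart
         "P2": {("w0", "w0"), ("w0", "w1"), ("w1", "w1")}}  # P2 cannot rule out w1
    M = Model(W, leq, A, {"w0": set(), "w1": {"N"}})
    N, Z = ("atom", "N"), ("not", ("atom", "N"))
    taut = ("or", N, Z)
    return {"frame": M.frame_conditions(), "monotone": M.monotone(),
            "unit_P1": valid(M, ("imp", Z, ("says", "P1", Z))),
            "unit_P2": valid(M, ("imp", Z, ("says", "P2", Z))),
            "nec_P2": valid(M, taut) and valid(M, ("says", "P2", taut)),
            "P2_for_P1": valid(M, ("speaksfor", "P2", "P1")),
            "P1_for_P2": valid(M, ("speaksfor", "P1", "P2"))}
```

In this model Z ⇒ (P1 says Z) is valid while Z ⇒ (P2 says Z) fails at w0, Necessitation still carries the tautology N ∨ Z into P2's worldview, and P2 ⇛ P1 holds because A_P1 ⊆ A_P2.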

5 Soundness

The soundness theorem for NAL₁ states that if $\phi$ is provable from assumptions $\Gamma$, and if a model validates all the formulas in $\Gamma$, then that model must also validate $\phi$. Therefore, any provable formula is semantically valid.

Theorem 1 (Soundness). If $\Gamma \vdash \phi$ and for all $\psi \in \Gamma$, it holds that $M, w, v \models \psi$, then $M, w, v \models \phi$.

A Coq mechanization of the proof of Soundness is in progress. Currently, it contains about 3,000 lines of code and implements all of the proof except for the cases of delegation and restricted delegation.

The current proof also requires adding an additional assumption as an axiom: for all $w$ and $w'$, if $w \le w'$, or if there exists a $p$ such that $(w, w') \in A_p$, then it must hold that $\mu(M, w, v)(\tau) = \mu(M, w', v)(\tau)$. This axiom is actually provable as a theorem for all terms $\tau$ except for group principals. Discharging this assumption for group principals remains an open problem.
$$
\begin{array}{c}
\Gamma, \phi \vdash \phi
\qquad
\Gamma \vdash \mathit{true}
\qquad
\dfrac{\Gamma \vdash \mathit{false}}{\Gamma \vdash \phi}
\\[2ex]
\dfrac{\Gamma \vdash \phi \quad \Gamma \vdash \psi}{\Gamma \vdash \phi \wedge \psi}
\qquad
\dfrac{\Gamma \vdash \phi \wedge \psi}{\Gamma \vdash \phi}
\qquad
\dfrac{\Gamma \vdash \phi \wedge \psi}{\Gamma \vdash \psi}
\\[2ex]
\dfrac{\Gamma \vdash \phi_1}{\Gamma \vdash \phi_1 \vee \phi_2}
\qquad
\dfrac{\Gamma \vdash \phi_2}{\Gamma \vdash \phi_1 \vee \phi_2}
\qquad
\dfrac{\Gamma \vdash \phi_1 \vee \phi_2 \quad \Gamma, \phi_1 \vdash \psi \quad \Gamma, \phi_2 \vdash \psi}{\Gamma \vdash \psi}
\\[2ex]
\dfrac{\Gamma, \phi \vdash \psi}{\Gamma \vdash \phi \Rightarrow \psi}
\qquad
\dfrac{\Gamma \vdash \phi \quad \Gamma \vdash \phi \Rightarrow \psi}{\Gamma \vdash \psi}
\qquad
\dfrac{\Gamma, \phi \vdash \mathit{false}}{\Gamma \vdash \neg\phi}
\qquad
\dfrac{\Gamma \vdash \phi \quad \Gamma \vdash \neg\phi}{\Gamma \vdash \mathit{false}}
\\[2ex]
\dfrac{\Gamma \vdash \phi \quad x \notin FV(\Gamma)}{\Gamma \vdash (\forall x : \phi)}
\qquad
\dfrac{\Gamma \vdash (\forall x : \phi)}{\Gamma \vdash \phi[\tau/x]}
\qquad
\dfrac{\Gamma \vdash \phi[\tau/x]}{\Gamma \vdash (\exists x : \phi)}
\qquad
\dfrac{\Gamma \vdash (\exists x : \phi) \quad \Gamma, \phi \vdash \psi \quad x \notin FV(\Gamma, \psi)}{\Gamma \vdash \psi}
\\[2ex]
\dfrac{\Gamma \vdash \phi}{p \ \mathit{says}\ \Gamma \vdash p \ \mathit{says}\ \phi} \ \textsc{says-i}
\end{array}
$$

[The two further says rules of this figure, which correspond to the frame conditions IT and ID, are not legible in the extracted text.]

Figure 1: Derivability judgment for formulas
$$
\begin{array}{c}
\Gamma \vdash \tau = \tau
\qquad
\dfrac{\Gamma \vdash \tau_1 = \tau_2}{\Gamma \vdash \tau_2 = \tau_1}
\qquad
\dfrac{\Gamma \vdash \tau_1 = \tau_2 \quad \Gamma \vdash \tau_2 = \tau_3}{\Gamma \vdash \tau_1 = \tau_3}
\\[2ex]
\dfrac{\Gamma \vdash \tau_1 = \tau_1' \quad \cdots \quad \Gamma \vdash \tau_n = \tau_n'}{\Gamma \vdash f(\tau_1, \ldots, \tau_n) = f(\tau_1', \ldots, \tau_n')}
\qquad
\dfrac{\Gamma \vdash r(\tau_1, \ldots, \tau_n) \quad \Gamma \vdash \tau_1 = \tau_1' \quad \cdots \quad \Gamma \vdash \tau_n = \tau_n'}{\Gamma \vdash r(\tau_1', \ldots, \tau_n')}
\\[2ex]
\dfrac{\Gamma \vdash \tau_2 \ \mathit{says}\ (\tau_1 \Rrightarrow \tau_2)}{\Gamma \vdash \tau_1 \Rrightarrow \tau_2}
\qquad
\dfrac{\Gamma \vdash \tau_2 \ \mathit{says}\ (\tau_1 \Rrightarrow \tau_2 \ \mathit{on}\ (x : \phi))}{\Gamma \vdash \tau_1 \Rrightarrow \tau_2 \ \mathit{on}\ (x : \phi)}
\\[2ex]
\dfrac{\Gamma \vdash \tau_1 \Rrightarrow \tau_2 \quad \Gamma \vdash \tau_1 \ \mathit{says}\ \phi}{\Gamma \vdash \tau_2 \ \mathit{says}\ \phi}
\qquad
\dfrac{\Gamma \vdash \tau_1 \Rrightarrow \tau_2 \ \mathit{on}\ (x : \phi) \quad \Gamma \vdash \tau_1 \ \mathit{says}\ \phi[\tau/x]}{\Gamma \vdash \tau_2 \ \mathit{says}\ \phi[\tau/x]}
\\[2ex]
\Gamma \vdash \tau \Rrightarrow \tau
\qquad
\Gamma \vdash \tau \Rrightarrow \tau \ \mathit{on}\ (x : \phi)
\\[2ex]
\dfrac{\Gamma \vdash \tau_1 \Rrightarrow \tau_2 \quad \Gamma \vdash \tau_2 \Rrightarrow \tau_3}{\Gamma \vdash \tau_1 \Rrightarrow \tau_3}
\qquad
\dfrac{\Gamma \vdash \tau_1 \Rrightarrow \tau_2 \ \mathit{on}\ (x : \phi) \quad \Gamma \vdash \tau_2 \Rrightarrow \tau_3 \ \mathit{on}\ (x : \phi)}{\Gamma \vdash \tau_1 \Rrightarrow \tau_3 \ \mathit{on}\ (x : \phi)}
\\[2ex]
\dfrac{\Gamma \vdash \phi[\tau/x]}{\Gamma \vdash \tau \Rrightarrow \{x : \phi\}}
\qquad
\dfrac{\Gamma, \phi \vdash x \Rrightarrow \tau \quad x \notin FV(\Gamma)}{\Gamma \vdash \{x : \phi\} \Rrightarrow \tau}
\qquad
\Gamma \vdash \tau_1 \Rrightarrow \tau_1 . \tau_2
\end{array}
$$

Figure 2: Derivability judgment for terms
$$
\begin{array}{lcl}
M, w, v \models \mathit{true} & & \text{always} \\
M, w, v \models \mathit{false} & & \text{never} \\
M, w, v \models r_i(\bar\tau) & \text{iff} & \mu(M, w, v)(\bar\tau) \in r_{i,w} \\
M, w, v \models \tau = \tau' & \text{iff} & \mu(M, w, v)(\tau) =_w \mu(M, w, v)(\tau') \\
M, w, v \models \phi_1 \wedge \phi_2 & \text{iff} & M, w, v \models \phi_1 \text{ and } M, w,
v \models \phi_2 \\
M, w, v \models \phi_1 \vee \phi_2 & \text{iff} & M, w, v \models \phi_1 \text{ or } M, w, v \models \phi_2 \\
M, w, v \models \phi_1 \Rightarrow \phi_2 & \text{iff} & \text{for all } w' \ge w : M, w', v \models \phi_1 \text{ implies } M, w', v \models \phi_2 \\
M, w, v \models \neg\phi & \text{iff} & \text{for all } w' \ge w : M, w', v \not\models \phi \\
M, w, v \models (\forall x : \phi) & \text{iff} & \text{for all } w' \ge w, d \in D_{w'} : M, w', v[d/x] \models \phi \\
M, w, v \models (\exists x : \phi) & \text{iff} & \text{there exists } d \in D_w : M, w, v[d/x] \models \phi \\
M, w, v \models \tau \ \mathit{says}\ \phi & \text{iff} & \text{for all } w', w'' : w \le w' \text{ and } (w', w'') \in A_{\mu(M,w,v)(\tau)} \text{ implies } M, w'', v \models \phi \\
M, w, v \models \tau_1 \Rrightarrow \tau_2 & \text{iff} & \text{for all } w', w'' : (w', w'') \in A_{\mu(M,w,v)(\tau_2)} \text{ implies } (w', w'') \in A_{\mu(M,w,v)(\tau_1)} \\
M, w, v \models \tau_1 \Rrightarrow \tau_2 \ \mathit{on}\ (x : \phi) & \text{iff} & \text{for all } w', w'' : (w', w'') \in A_{\mu(M,w,v)(\tau_2)} \text{ implies there exists } w''' : w'' \equiv_{x.\phi} w''' \text{ and } (w', w''') \in A_{\mu(M,w,v)(\tau_1)}
\end{array}
$$

Figure 3: Validity judgment



$$
\begin{array}{lcl}
\mu(M, w, v)(x) & = & v(x) \\
\mu(M, w, v)(f_j(\bar\tau)) & = & f_{j,w}(\mu(M, w, v)(\bar\tau)) \\
\mu(M, w, v)(\tau_1 . \tau_2) & = & \mathit{sub}_w(\mu(M, w, v)(\tau_1), \mu(M, w, v)(\tau_2)) \\
\mu(M, w, v)(\{x : \phi\}) & = & (\bigvee p : M, w, v[p/x] \models \phi : p)
\end{array}
$$

Figure 4: Interpretation function